PARKVILLE, Md. (WJZ) — A Baltimore man says he discovered major security holes in University of Maryland computer systems months before the university announced a massive data breach affected hundreds of thousands connected to the College Park campus.
Derek Valcourt has more on the man now raising eyebrows in this expanding investigation.
He’s now wrapped up in an FBI investigation into the data breach, but tells WJZ he was just trying to be a whistleblower.
“I found a hole in their system,” David Helkowski said.
He calls himself a hacker. In an exclusive interview with WJZ, Helkowski says he knew and even warned about the potential for a sophisticated cyber attack on computer systems at the University of Maryland four months before the university announced a data breach, jeopardizing the names, birth dates and other sensitive information of more than 300,000 students, faculty and alumni.
“I went into the systems, I found how bad their security was and then I passed that information on to the university,” said Helkowski.
At the time of the cyber attack, Helkowski worked for Baltimore-based cyber consulting firm The Canton Group, contracted to do work for the university.
He says weeks after the cyber attack he again found vulnerabilities.
“At that point, we were like, ‘Whoa, this is really bad.’ This security hole was not only still here after the breach that was in the news, but it’s equal and greater than that,” said Helkowski.
Concerned his discovery was falling on deaf ears, he began posting anonymous warnings–contained in the FBI affadavit–and went so far as to post university president Wallace Loh’s social security number online.
The FBI soon traced those warnings back to Helkowski.
“That’s going to get me into a lot of trouble. I could do jail time as a result of doing that,” Helkowski said. “That was never my intent. My intent was only ever to help them and say, ‘Here’s the seriousness of these issues. You really need to take care of these things.'”
University officials would not comment on the Helkowski investigation. Neither would the FBI, who is working with a university security task force investigating the data breach.
The FBI executed search warrants at Helkowski’s Parkville home, confiscating thousands of dollars worth of sophisticated computer equipment. He says he is cooperating and has handed over all of his encrypted passwords.
The Canton Group says Helkowski is no longer employed there and they are working with all law enforcement agencies.
Helkowski has not been charged with any crimes, but fears the possible repercussions of his actions.
“At the time, I was believing what I was doing to be right,” said Helkowski. “The problem is, if I’m aware of something not being legal, I should not be doing those things. And I understand that. And I understand that there are going to be potential consequences for that.”
Helkowski says he believes the university has addressed and fixed their security vulnerabilities. He insists he had no role in the data breach and was just trying to help.
No arrests have been made in that breach. The FBI’s investigation into all of this is ongoing.
Other Local News: